Best practice for resetting forgotten user passwords

As far as I can tell, there are two reasonable ways to reset a password forgotten by the user.

  • The user enters their email address, and a new plaintext password is sent to that address.

  • A link containing a UID in the URL is sent to their email address. By clicking on it, the user gets a form on the website where they can choose their own password.

Which method is preferred and why?

If method 1 is used, perhaps a third party can read the email and get the new password. If method 2 is used, what does it take for someone to methodically go through the UIDs to try to access the form in order to change the user's password?

+5
3 answers

The best pattern would be:

  • The user requests a password reset. This is best done through the username, without indicating whether the username exists or not (to avoid a script being able to enumerate the list of users).

  • You create an entry in a new database table with the user ID, the request datetime (= the current date and time) and a newly generated GUID.

  • You send an email to the user pointing to the reset-password page, with the GUID (and not the user ID) as a parameter.

  • On this page, you verify that the GUID exists; optionally you can also enforce an expiration (= the user has 1 day to reset, for example).


+24
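The flow from the answer above, and the question's concern about someone walking through the UIDs, as an added worked example (not code from the original post). It uses an in-memory dict in place of the reset table, a 256-bit random token from `secrets.token_urlsafe` in place of a GUID, and stores only a SHA-256 hash of the token so that a read of the table does not yield usable links; those last two choices are additions beyond what the answer states. The `example.invalid` link and the user directory are constructed sample data.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60  # "the user has 1 day to reset"


@dataclass
class ResetRequest:
    """One row of the reset table: who asked, when, and whether the link was spent."""
    user_id: int
    created_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = users        # username -> user_id (constructed sample directory)
        self.now = now            # injectable clock so expiry can be tested
        self.requests = {}        # token_hash -> ResetRequest (stands in for the DB table)
        self.outbox = []          # (user_id, link) pairs a mailer would send
        self.passwords = {}       # user_id -> new password (stands in for the credential store)

    @staticmethod
    def _token_hash(token):
        # Only the hash is persisted; a leaked table does not give away live links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_reset(self, username):
        """Step 1-3: look up the user, record a request, mail a link carrying only the token."""
        user_id = self.users.get(username)
        if user_id is not None:
            token = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable by iteration
            self.requests[self._token_hash(token)] = ResetRequest(user_id, self.now())
            self.outbox.append((user_id, f"https://example.invalid/reset?token={token}"))
        # Same response whether or not the username exists, so nothing is enumerable.
        return "If that account exists, a reset link has been sent."

    def _lookup(self, token):
        """Step 4: the token must exist, be unused, and be within its lifetime."""
        req = self.requests.get(self._token_hash(token))
        if req is None or req.used:
            return None
        if self.now() - req.created_at > TOKEN_TTL_SECONDS:
            return None
        return req

    def show_reset_form(self, token):
        """True if the form may be rendered for this token."""
        return self._lookup(token) is not None

    def complete_reset(self, token, new_password):
        """Set the new password and spend the token so the link works exactly once."""
        req = self._lookup(token)
        if req is None:
            return False
        req.used = True
        self.passwords[req.user_id] = new_password
        return True


if __name__ == "__main__":
    svc = PasswordResetService({"alice": 1})
    print(svc.request_reset("alice"))
    print(svc.request_reset("nobody"))      # identical message, no email queued
    _, link = svc.outbox[0]
    token = link.split("token=", 1)[1]
    print("form shown:", svc.show_reset_form(token))
    print("reset ok:", svc.complete_reset(token, "correct horse battery staple"))
    print("reuse ok:", svc.complete_reset(token, "again"))   # False: single use
```

The lookup keys the table by the token's hash rather than comparing raw tokens, so a dictionary hit or miss reveals nothing an attacker could use to reconstruct a valid token; combined with the 256-bit token, the "go through the UIDs" attack from the question is not feasible.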


Be sure to send the username and password separately.

For an Office 365 user, direct them to my forgotten password area or send this link https://passwordreset.microsoftonline.com

Do not bully the user; escalate to an IT manager if the need arises.

0
